Wireshark GeoIP resolution setup V2.0

I already wrote a blog post about setting up GeoIP resolution for Wireshark in 2013. Now, almost exactly five years later, I had to decide whether to replace that one with an updated version or to write a second, updated post instead. I chose the second option.

Since it happens that users run old Wireshark versions for various reasons, I decided against rewriting the existing blog post, even though I always recommend choosing the latest stable version. But sometimes it can’t be helped, e.g. when OS repositories like Debian’s APT only offer old versions, or when you need a specific version to run custom plugins. Anyway, if you need to set up GeoIP resolution for versions before Wireshark 2.6, look at the older post instead.

In general GeoIP resolution maps IP addresses to physical locations and/or ASNs. This can be helpful to determine the origin or target of a communication, e.g. when performing network forensic tasks.

Wireshark 2.6 and GeoLite2

Starting with Wireshark 2.6, the format of the GeoIP database used by Wireshark has changed to the newer GeoLite2 format of the MaxMind databases. If you had configured an older Wireshark version with the previous “legacy” databases, you’ll have to remove the old legacy DB files and replace them with the new ones, and reconfigure the 2.6 installation with new preference settings that point to the database files. But first you need to get them at https://dev.maxmind.com/geoip/geoip2/geolite2/

Figure 1 – GeoLite2 Download

Unpack the database files into a directory of your choice. I usually put them into a subdirectory of my Wireshark profile folder, which would be c:\Users\Jasper\Appdata\Roaming\Wireshark\GeoIP:

Figure 2 – GeoIP Database Folder

Hint: Make sure that you put the .mmdb files into the directory you want to use, not the compressed archives. Also, do not put the files in subfolders – they all need to be in a single directory.

Then it’s time to reconfigure Wireshark:

Figure 3 – Wireshark GeoIP folder setup

In my experience, Wireshark doesn’t always immediately show GeoIP resolutions, but at least after restarting it the decode pane should show the results:

Figure 4 – Wireshark GeoIP Resolution

Command line bonus

If you looked closely at the Wireshark 2.6 installer you may have noticed that it ships a new command line utility called mmdbresolve. This is a tool that performs GeoIP resolutions via the CLI. First I tried it like this (my input is the command on the prompt line):

[C:\Program Files\Wireshark]mmdbresolve.exe -f C:\Users\Jasper\AppData\Roaming\Wireshark\GeoIP\GeoLite2-City.mmdb 81.209.179.74
[init]
db.0.path: C:\Users\Jasper\AppData\Roaming\Wireshark\GeoIP\GeoLite2-City.mmdb
db.0.status: OK
db.1.type: GeoLite2-City
mmdbresolve.status: true
# End init
Usage: mmdbresolve -f db_file [-f db_file ...]

[C:\Program Files\Wireshark]

This obviously didn’t work. Using the tool without an IP address put it into an interactive mode:

[C:\Program Files\Wireshark]mmdbresolve.exe -f C:\Users\Jasper\AppData\Roaming\Wireshark\GeoIP\GeoLite2-City.mmdb
[init]
db.0.path: C:\Users\Jasper\AppData\Roaming\Wireshark\GeoIP\GeoLite2-City.mmdb
db.0.status: OK
db.1.type: GeoLite2-City
mmdbresolve.status: true
# End init
81.209.179.74
[81.209.179.74]
# GeoLite2-City
country.iso_code: DE
country.names.en: Germany
location.latitude: 51.299300
location.longitude: 9.491000
# End 81.209.179.74

^C
[C:\Program Files\Wireshark]

But after fiddling around a bit I found a way to get it to work:

[C:\Program Files\Wireshark]echo 81.209.179.81 | mmdbresolve.exe -f C:\Users\Jasper\AppData\Roaming\Wireshark\GeoIP\GeoLite2-City.mmdb -f C:\Users\Jasper\AppData\Roaming\Wireshark\GeoIP\GeoLite2-ASN.mmdb -f C:\Users\Jasper\AppData\Roaming\Wireshark\GeoIP\GeoLite2-Country.mmdb
[init]
db.0.path: C:\Users\Jasper\AppData\Roaming\Wireshark\GeoIP\GeoLite2-City.mmdb
db.0.status: OK
db.1.type: GeoLite2-City
db.1.path: C:\Users\Jasper\AppData\Roaming\Wireshark\GeoIP\GeoLite2-ASN.mmdb
db.1.status: OK
db.2.type: GeoLite2-ASN
db.2.path: C:\Users\Jasper\AppData\Roaming\Wireshark\GeoIP\GeoLite2-Country.mmdb
db.2.status: OK
db.3.type: GeoLite2-Country
mmdbresolve.status: true
# End init
[81.209.179.81]
# GeoLite2-City
country.iso_code: DE
country.names.en: Germany
location.latitude: 51.299300
location.longitude: 9.491000
# GeoLite2-ASN
autonomous_system_organization: FNH media KG
autonomous_system_number: 31197
# GeoLite2-Country
country.iso_code: DE
country.names.en: Germany
# End 81.209.179.81

[C:\Program Files\Wireshark]
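To drive mmdbresolve from a script instead of by hand, here is an added Python helper (my example, not code from this post or from the Wireshark project) that feeds addresses on stdin the same way the echo pipeline above does and parses the key: value output into a dict per address and database. The sample output is taken from the session above; the private-address filter is an assumption of mine, since the GeoLite2 databases don’t describe RFC 1918 space.

```python
import ipaddress
import subprocess

# Constructed sample: the stdout of the multi-database mmdbresolve run above.
SAMPLE_OUTPUT = r"""[init]
db.0.status: OK
# End init
[81.209.179.81]
# GeoLite2-City
country.iso_code: DE
country.names.en: Germany
location.latitude: 51.299300
location.longitude: 9.491000
# GeoLite2-ASN
autonomous_system_organization: FNH media KG
autonomous_system_number: 31197
# End 81.209.179.81
"""

def parse_output(text):
    """mmdbresolve output -> {ip: {db_type: {key: value}}}. '[ip]' opens an
    address, '# <db>' a database section, '# End <ip>' closes the address;
    the leading [init] status block is skipped."""
    results, ip, db = {}, None, None
    for line in text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            ip = None if line == "[init]" else line[1:-1]
            db = None
            if ip:
                results[ip] = {}
        elif line.startswith("# End"):
            ip = db = None
        elif line.startswith("# ") and ip:
            db = line[2:]
            results[ip][db] = {}
        elif db and ": " in line:
            key, _, value = line.partition(": ")
            results[ip][db][key] = value
    return results

def lookup(ips, db_files, exe="mmdbresolve"):
    """Resolve public addresses only; private/reserved ones are skipped up
    front (my addition: GeoLite2 holds no meaningful location for them)."""
    public = [ip for ip in ips if ipaddress.ip_address(ip).is_global]
    if not public:
        return {}
    cmd = [exe] + [arg for db in db_files for arg in ("-f", str(db))]  # one -f per DB
    proc = subprocess.run(cmd, input="\n".join(public) + "\n",
                          capture_output=True, text=True, check=True)
    return parse_output(proc.stdout)
```

On Windows pass exe=r"C:\Program Files\Wireshark\mmdbresolve.exe" and the .mmdb paths from your profile folder as db_files.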

Have fun.

Discussions — 12 Responses

  • Johannes Weber May 7, 2018 on 10:17 am

    Do you already have experiences with IPv6 and GeoIP?

    • Jasper Johannes Weber May 7, 2018 on 11:03 pm

      Yes, as far as having seen that it worked, using the beta IPv6 databases in legacy format – I didn’t really verify the results though.

  • Christopher Maynard May 7, 2018 on 4:05 pm

    REM Below is a basic batch file to help with GeoIP lookups from the command-line.

    @ECHO OFF
    SETLOCAL

    REM %~NX0 expands to this script's own file name and extension (used in the usage line).
    SET BAT=%~NX0
    IF "%~1" == "" (
    GOTO USAGE
    )

    REM Same database folder as the Wireshark profile; one -f per .mmdb file.
    SET GEOIP_PATH=%APPDATA%\Wireshark\GeoIP
    ECHO %1 | mmdbresolve -f %GEOIP_PATH%\GeoLite2-City.mmdb -f %GEOIP_PATH%\GeoLite2-ASN.mmdb -f %GEOIP_PATH%\GeoLite2-Country.mmdb
    GOTO :EOF

    :USAGE
    ECHO Usage: %BAT% ^

  • Gerald Combs May 7, 2018 on 8:16 pm

    If you’re using Wireshark 2.4 or earlier you should be aware that MaxMind is discontinuing their GeoLite Legacy databases: https://dev.maxmind.com/geoip/legacy/geolite/

    • Jasper Gerald Combs May 7, 2018 on 11:04 pm

      Thanks Gerald, maybe that’ll move a few more people off of old Wireshark versions :D

  • Christopher Maynard May 7, 2018 on 8:49 pm

    Note that there is a bug with the Endpoints dialog with respect to GeoIP lookups: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14656

    • Jasper Christopher Maynard May 7, 2018 on 11:01 pm

      Thanks, Chris, that’s good to know :)

  • Vladimir May 8, 2018 on 10:55 am

    Just wondered why my 192.168.99.101 local IP was interpreted as ‘Guam Yigo Village’ :)

    • Jasper Vladimir May 8, 2018 on 11:06 am

      LOL – maybe someone sneaked that info into the DB files :D

  • Christian Reusch May 10, 2018 on 7:00 pm

    Very useful article. Was not aware of that change before I read your article

  • Timo May 11, 2018 on 8:44 am

    Do you have any articles for IP2Location LITE?

    • Jasper Timo May 11, 2018 on 11:35 am

      No, sorry – I assume you mean using IP2Location LITE with Wireshark? As far as I know Wireshark doesn’t support IP2Location databases – if you’d like to see them to be supported I’d recommend opening a feature request at https://bugs.wireshark.org. Maybe somebody will look into it then.

